Splunk Enterprise Security

Can you help me input Cisco AMP events to Splunk Enterprise Security?

PanIrosha
Path Finder

Hi,

I have installed Cisco AMP app on our indexer and i can see AMP events coming in. But, I can't see any malware information in the Splunk Enterprise Security (Security Domains > Endpoint Protection > Malware Center). ESS is installed on the search head and AMP index can be accessible from search head.

is there anything else to be configured in the search head in order to see information in the malware center?

Thank you in advance.

0 Karma
1 Solution

smoir_splunk
Splunk Employee
Splunk Employee

First check if the add-on is being imported by ES:
http://docs.splunk.com/Documentation/ES/5.2.0/Install/ImportCustomApps
Then, check if the add-on contains data that is mapped to the CIM data models used to populate that dashboard panel. Check to see which parts of the data model need to have data in them to appear on that dashboard panel:
http://docs.splunk.com/Documentation/ES/5.1.0/Admin/Dashboardrequirements
And then check the data model to see if it has data:
http://docs.splunk.com/Documentation/CIM/4.12.0/User/UsetheCIMtonormalizedataatsearchtime#6._Validat...

View solution in original post

smoir_splunk
Splunk Employee
Splunk Employee

First check if the add-on is being imported by ES:
http://docs.splunk.com/Documentation/ES/5.2.0/Install/ImportCustomApps
Then, check if the add-on contains data that is mapped to the CIM data models used to populate that dashboard panel. Check to see which parts of the data model need to have data in them to appear on that dashboard panel:
http://docs.splunk.com/Documentation/ES/5.1.0/Admin/Dashboardrequirements
And then check the data model to see if it has data:
http://docs.splunk.com/Documentation/CIM/4.12.0/User/UsetheCIMtonormalizedataatsearchtime#6._Validat...

smoir_splunk
Splunk Employee
Splunk Employee

Is the app being imported by Splunk Enterprise Security? http://docs.splunk.com/Documentation/ES/5.2.0/Install/ImportCustomApps

0 Karma

PanIrosha
Path Finder

hi smoir,

i have managed to get the data to splunk enterprise security after go though all the links. thank you very much for your help

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Awesome! I summarized my comments for you as an answer 🙂

0 Karma

PanIrosha
Path Finder

Hi Smoir,

Thank you for replying.

no its not. the app is not using "TA-" naming convention when i uploaded to the search head. its using "amp4e_events_input" as its folder name in $SPLUNKHOME\etc\apps

i will follow this document and import the app as instructed. i will keep you posted.

0 Karma

PanIrosha
Path Finder

Hi Smoir

I have imported the cisco amp app to ES but still i cant see any data.

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Does the add-on contain data that is mapped to the CIM data models used to populate that dashboard panel? You can check here:
http://docs.splunk.com/Documentation/ES/5.1.0/Admin/Dashboardrequirements
to see which parts of the data model need to have data in them to appear on that dashboard panel
and also here:
http://docs.splunk.com/Documentation/CIM/4.12.0/User/UsetheCIMtonormalizedataatsearchtime#6._Validat...
to learn more about how to check the data model

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...